Hardened GitHub Actions security by protecting secrets using environments and limiting workflow runs on protected branches.
CHALLENGE:
Problem:
Bad actors could inject malicious scripts into GitHub Actions.
Workflows run on pull requests, so any custom GitHub Action steps added in a pull request would be run, with whatever secrets and permissions that workflow can reach.
Action:
Fix #1:
[x] Add a CODEOWNERS file, requiring a review by me before changes under .github/workflows are merged to the main branch
Fix #2:
[x] Refactored GitHub Actions into a proper Continuous Integration workflow that ONLY runs building and testing; publishing is not done in this action.
Fix #3:
[x] Reconfigure GitHub Actions to use environments for ci and production
[x] Update EXAMPLE REPOSITORY secrets in resources/
GitHub secrets can be read by any step of a GitHub Actions workflow that has access to them.
A bad actor could COPY the secret values to a file and then simply print the file contents.
GitHub Actions publishes the runner's logs, which can be viewed. Log masking only redacts exact occurrences of a secret's value, so encoding or splitting the value (for example base64) defeats it; the only reliable protection is to keep secrets out of reach of workflows that run untrusted pull request code.
Fix #4:
BRANCH Refactor - protect the main production branch, and use a development branch for features
Trello Ticket #115
Issue #47
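The workflow split described in Fixes #2 and #3 above, as an added example (not the project's own workflow files). The two workflows live in separate files and are shown here as two YAML documents separated by `---`. The file names, the Node.js build commands, the `development` branch name and the `NPM_TOKEN` secret name are assumptions for illustration; the security-relevant parts are the triggers, the `permissions` block, and the `environment` binding on the publish job.

```yaml
# --- .github/workflows/ci.yml (separate file; name is an assumption) ---
# CI workflow: runs on every pull request and on pushes to the
# development branch. It references NO secrets at all, because code
# submitted in a pull request executes here and could exfiltrate any
# secret it can reach (writing it to a file or base64-encoding it
# defeats log masking). Nothing reachable means nothing to steal.
name: CI

on:
  pull_request:
  push:
    branches: [development]

# Least-privilege GITHUB_TOKEN for the whole workflow.
permissions:
  contents: read

jobs:
  build-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test        # build and test only; publishing lives in publish.yml
---
# --- .github/workflows/publish.yml (separate file; name is an assumption) ---
# Publish workflow: only runs on pushes to the protected main branch,
# never on pull_request, so untrusted PR code never executes with the
# publish credentials in scope.
name: Publish

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Binds the job to the "production" environment. Environment secrets
    # are only released to jobs that declare this environment, and the
    # environment's protection rules (required reviewers, deployment
    # branches limited to main) are enforced by GitHub before the job starts.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test
      - run: npm publish
        env:
          # Scoped to this single step rather than exported to the whole job.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The protection rules on the `production` environment (required reviewers, "Deployment branches" restricted to `main`) are configured in the repository's Settings under Environments, not in YAML; the YAML only opts the job into them. Fix #1 is implemented alongside this with a CODEOWNERS entry of the form `/.github/workflows/ @<your-handle>` (placeholder handle), so that no change to either workflow file can reach `main` without the owner's review.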
Branch protection:
main branch =>
Other Research
USING GIT FLOW: RND:
Intro to git flow command
git flow cheatsheet
Git flow usage example - Article
Step 1: Configure Git flow
Step 2: Create a feature branch
Step 3: Finish the feature, commit the changes